Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN connects to the next configured gateway.

Authentication Method

Select X.509 Certificate or Pre-shared Key in the dropdown list. When you select x.509 Certificate, select Prompt on connect or a certificate from the list.

Authentication (XAuth)

Select Prompt on login, Save login, or Disable. Available if IKE version 1 is selected.

Authentication (EAP)

Select Prompt on login, Save login, or Disable. Available if IKE version 2 is selected.

Aggressive: Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP address and the IP address and subnet values to assign. Select the checkbox to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, domain, DNS and WINS addresses. Select the checkbox to enable split tunneling.

Phase 1

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Select one or more Diffie-Hellman groups from DH group 1, 2, 5, 14, 15, 16, 17, 18, 19 and 20. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups results in failed negotiations.

Key Life

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

Local ID

Enter the local ID (optional). This local ID value must match the peer ID value given for the remote VPN peer’s peer options.

Dead Peer Detection

Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

NAT Traversal

Select the checkbox if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2

Select the encryption and authentication algorithms that are proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals you specify must match configuration on the remote peer.

The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

Enable Replay Detection

Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

Enable Perfect Forward Secrecy (PFS)

Select the checkbox to enable perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

DH Group

Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match the DH group the remote peer or dialup client uses.

+

Select the add icon to add a new connection.

-

Select a connection and then select the delete icon to delete a connection.

Click Save to save the VPN connection.

Configuring IPsec VPN connections

On the Remote Access tab, click Configure VPN.

Select IPsec VPN, then configure the following settings:

Connection Name

Enter a name for the connection.

Description

(Optional) Enter a description for the connection.

Remote Gateway

Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN connects to the next configured gateway.

Authentication Method

Select X.509 Certificate or Pre-shared Key in the dropdown list. When you select x.509 Certificate, select Prompt on connect or a certificate from the list.

Authentication (XAuth)

Select Prompt on login, Save login, or Disable. Available if IKE version 1 is selected.

Authentication (EAP)

Select Prompt on login, Save login, or Disable. Available if IKE version 2 is selected.

Aggressive: Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP address and the IP address and subnet values to assign. Select the checkbox to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, domain, DNS and WINS addresses. Select the checkbox to enable split tunneling.

Phase 1

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Select one or more Diffie-Hellman groups from DH group 1, 2, 5, 14, 15, 16, 17, 18, 19 and 20. At least one of the DH group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups results in failed negotiations.

Key Life

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

Local ID

Enter the local ID (optional). This local ID value must match the peer ID value given for the remote VPN peer’s peer options.

Dead Peer Detection

Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

NAT Traversal

Select the checkbox if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2

Select the encryption and authentication algorithms that are proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals you specify must match configuration on the remote peer.

The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

Enable Replay Detection

Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

Enable Perfect Forward Secrecy (PFS)

Select the checkbox to enable perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

DH Group

Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match the DH group the remote peer or dialup client uses.

+

Select the add icon to add a new connection.

-

Select a connection and then select the delete icon to delete a connection.